How to Connect n8n to Salesforce in 2026 (Step-by-Step External Client App Setup)

How to Connect n8n to Salesforce in 2026 (Step-by-Step External Client App Setup)

If you searched for how to connect n8n to Salesforce and followed the first tutorial you found, there’s a decent chance it blew up on you. Probably not because you did anything wrong. Salesforce changed the rules over the last few months, and most of the guides still out there describe a setup that Salesforce has since switched off.

Two things changed. First, you can no longer create the old “Connected App” that every tutorial points you to. Salesforce finished disabling that across all orgs by Spring ‘26, and the replacement is the External Client App. Second, a security mandate that took effect in May 2026 added new OAuth requirements like PKCE. And there’s one gotcha that cost me an afternoon: n8n always asks Salesforce for the full OAuth scope, and if your app doesn’t allow it, you get a useless OAUTH_APPROVAL_ERROR_GENERIC and no explanation.

So instead of making you extrapolate, here is the literal click-by-click that works as of mid-2026. Follow the parts in order. Part 1 is in n8n, Parts 2 through 7 are in Salesforce, and Part 8 finishes back in n8n.

Before You Start

You’ll need a Salesforce System Administrator login and access to your n8n instance. Open both in separate browser tabs. This guide assumes a self-hosted n8n, which matters in one spot (the IP relaxation step), and I’ll call it out when it does.

Part 1: Get the n8n Callback URL First

You need one value from n8n before you touch Salesforce, and it has to match later character for character. Do not type it from memory.

1. In n8n, click Credentials in the left sidebar, then Add Credential (top right).
2. Search for and select Salesforce OAuth2 API.
3. Near the top of the credential, n8n shows an OAuth Redirect URL. It looks like https://your-n8n-domain/rest/oauth2-credential/callback.
4. Copy that whole URL and paste it somewhere handy. You’ll need it in Part 4.
5. Leave this n8n tab open. You come back to it in Part 8.

Part 2: Confirm You Can Create External Client Apps

1. In Salesforce, click the gear icon (top right), then Setup.
2. In the Quick Find box (top left of Setup), type External Client App Settings.
3. Click External Client App Settings.
4. Make sure Allow creation of External Client Apps is turned on.

If that toggle is greyed out or missing, your user may not have the right permission, and you’ll want a fuller admin to step in here.

Part 3: Create the Integration User

This is the dedicated account n8n logs in as. Use a dedicated Integration User, not your own login: it survives staff changes, keeps a clean audit trail, and lets you grant least privilege. Salesforce gives every org five free Salesforce Integration licenses for exactly this, so you don’t burn a paid seat.

1. In Setup Quick Find, type Users and click Users.
2. Click New User.
3. Fill in the name and email. Make sure the email is a live mailbox, because you need it to set the password and Salesforce sends OAuth verification codes there later.
4. Set User License to Salesforce Integration.
5. Set Profile to Minimum Access - API Only Integrations.
6. Set the correct Time Zone and Locale.
7. Click Save. Salesforce emails a verification link. Open it in a private/incognito window (so you aren’t logged in as your admin user) and set a password for this new user.

Part 4: Create the External Client App

1. In Setup Quick Find, type External Client App Manager and click it.
2. Click New External Client App (top right).
3. External Client App Name: something like n8n Integration. The API Name fills in automatically.
4. Contact Email: your email. This field is purely administrative, so don’t overthink it.
5. Distribution State: Local (this app only runs in your own org).
6. Click Create.

Now configure OAuth on the app you just created:

7. Open the app, find the API (Enable OAuth Settings) section, and click Edit (or open the Settings tab, then the OAuth Settings subsection).
8. Check Enable OAuth. If this checkbox is greyed out, the usual reason is that the new app record hasn’t been saved yet, or you’re on the read-only overview screen where the checkbox is just a status indicator. Save the app, reopen it in edit mode, and the checkbox comes alive.
9. Callback URL: paste the n8n Redirect URL you copied in Part 1. It must match exactly.
10. OAuth Scopes: move these from Available to Selected:
    • Full access (full). This one is required. n8n’s Salesforce node always requests the full scope during authorization, and if the app doesn’t allow it, the connection fails with OAUTH_APPROVAL_ERROR_GENERIC. This does not over-grant access, because the Integration User can still only touch what its permission set allows (Part 6). The OAuth scope is a ceiling; the permission set is the real guardrail.
    • Perform requests at any time (refresh_token, offline_access).
11. Flow Enablement: check Enable Authorization Code and Credentials Flow. A sub-option appears: Require user credentials in the POST body for Authorization Code and Credentials Flow. Leave it unchecked. Unchecked lets Salesforce accept the client credentials in either the POST body or the header, which matches how n8n sends them.
12. PKCE: uncheck Require Proof Key for Code Exchange (PKCE). In practice n8n’s Salesforce node does not complete a PKCE challenge in this flow, and leaving it required produces an OAUTH_APPROVAL_ERROR_GENERIC / invalid-code-verifier failure at connect time.
13. Click Save. Allow 2 to 5 minutes for the OAuth and scope changes to propagate before you try to connect. Connecting too soon makes you think something is broken when it’s just slow.

Part 5: Set the App Policies

1. Still on the n8n Integration app, open the Policies tab and click Edit.
2. Permitted Users: select Admin approved users are pre-authorized.
3. IP Relaxation: select Relax IP restrictions. If your n8n is self-hosted, its outbound IP is not on Salesforce’s trusted list, and skipping this gets your logins blocked.
4. Refresh Token Policy: select Refresh token is valid until revoked (or the longest your org allows), so the connection doesn’t silently expire.
5. Click Save.

Because you chose “Admin approved users are pre-authorized,” you now have to grant the Integration User access. The cleanest way is the permission set in Part 6.

Part 6: Create and Assign the Permission Set (Least Privilege)

This grants the Integration User the minimum it needs. The example below uses the Contact object; swap in whatever objects and fields you’re actually syncing.

1. In Setup Quick Find, type Permission Sets and click it.
2. Click New.
3. Label: n8n Integration. License: Salesforce API Integration. Click Save.
4. Open the new permission set, click Object Settings, then Contacts (or your object).
5. Click Edit. Under Object Permissions, grant Read and Edit. Then grant Edit on the specific fields you map. Click Save. (You’ll add the Create permission in Part 7, which is separate and easy to miss, so it gets its own step.)
6. Go back to the permission set overview, click Manage Assignments, then Add Assignment, select the Integration User, and Assign.

Then tie the permission set to the app:

7. Back in External Client App Manager, open n8n Integration, then the Policies tab.
8. Under the OAuth policies, add the n8n Integration permission set (or the Integration User’s profile) to the pre-authorized list. Save.

Part 7: Allow the Integration to Create Contacts

By default, the permission set you just made lets the integration read and edit Contacts but not create new ones. Creating records is a separate, object-level permission, and it is the single most commonly missed setting in this whole process. There is no per-field “create” setting to go looking for. Once you turn this on, every field the integration can already edit can also be filled in on a brand new record.

1. In Setup Quick Find, type Permission Sets and click it.
2. Open the n8n Integration permission set.
3. Click Object Settings, then Contacts (or your object).
4. Click Edit (top right).
5. Under Object Permissions, check the Create box. (Read and Edit should already be checked. Leave them on.)
6. Click Save.

Part 8: Connect n8n to Salesforce

First, grab the app’s keys:

1. In External Client App Manager, open n8n Integration and go to Settings, then OAuth Settings.
2. Find Consumer Key and Secret and click Reveal (or Manage Consumer Details). Salesforce may send a verification code to your user’s Email address first, so make sure that mailbox is one you can open.
3. Copy the Consumer Key and the Consumer Secret.

Now finish the n8n credential from Part 1:

4. Environment: select Production.
5. Client ID: paste the Consumer Key.
6. Client Secret: paste the Consumer Secret.
7. Click Connect / Sign in with Salesforce.
8. A Salesforce login window opens. Log in as the Integration User, not your admin. The cleanest way is a private/incognito window so you aren’t auto-logged-in as yourself.
9. Approve the access request.

One quirk worth knowing: the first connect attempt sometimes errors for no clear reason. Click Connect again. It often takes two or three tries before you see Connection successful.

10. Save the credential in n8n.

How to Know It Worked

• n8n shows Connection successful or Account connected.
• In Salesforce, go to Setup, then Quick Find Connected Apps OAuth Usage, and you’ll see the n8n Integration app with the Integration User’s session.
• Build a one-node test in n8n: a Salesforce node set to Contact, then Get All with a limit of 1. Run it. If a contact comes back, the connection is live.

Troubleshooting: When the Connection Fails

Symptom	Likely cause	Fix
OAUTH_APPROVAL_ERROR_GENERIC at connect	Missing full scope (n8n always requests it), or PKCE still required	Add Full access (full) to the app scopes (Part 4, step 10) and uncheck Require PKCE (step 12). Save, wait 2 to 5 minutes, retry. This is the most common blocker.
Invalid code verifier	PKCE required but n8n isn’t sending a challenge	Uncheck Require PKCE on the app (Part 4, step 12), save, retry.
redirect_uri_mismatch	Callback URL in Salesforce doesn’t match n8n exactly	Re-copy from n8n (Part 1) and re-paste into the app (Part 4, step 9).
Enable OAuth checkbox greyed out	App record not saved, or you’re on the read-only overview	Save the app and reopen in edit mode (Part 4, step 8).
Connects but returns no data	Permission set not assigned, or no access to the object	Recheck Part 6.
Can read and edit but can’t create records (createable: false on every field)	Object-level Create permission is off	Enable Create on the object in the permission set (Part 7). It is object-level, not per-field.
Login-IP blocked	IP restrictions still on	Relax IP restrictions (Part 5, step 3).
Changes seem ignored	Salesforce OAuth propagation delay	Wait 2 to 5 minutes after saving, then retry the connect a couple of times.

What Comes After This

Once the connection is live, the setup is done and the actual work begins: building the workflows. A trigger that pushes a contact into Salesforce when they hit a qualification threshold, and something coming back the other way so your marketing platform knows when a contact becomes a customer and stops emailing them. If you’re connecting Mautic and Salesforce specifically, putting n8n in the middle gives you control over exactly which records and fields move and when, which is hard to get from a stock connector.

Frequently Asked Questions

Q: What is an External Client App in Salesforce? A: It’s the framework Salesforce now uses to authorize outside applications, replacing the older Connected App. Salesforce disabled the creation of new Connected Apps across all orgs by Spring ‘26, so any new integration, including n8n, has to be set up as an External Client App.

Q: Why does n8n throw OAUTH_APPROVAL_ERROR_GENERIC when connecting to Salesforce? A: The most common cause is a missing OAuth scope. n8n’s Salesforce node always requests the full scope, and if your External Client App doesn’t allow it, Salesforce rejects the entire authorization with that vague error. Add “Full access (full)” to the app’s scopes and turn off the PKCE requirement.

Q: Doesn’t giving the app the full OAuth scope make it insecure? A: No, because the OAuth scope only sets a ceiling on what the app can request. The actual access is controlled by the Integration User’s permission set, so a tightly scoped user can still only touch the objects and fields you allowed. The permission set is your real guardrail, not the OAuth scope.